Evolution of Ransomware

When ransomware first became a widespread threat around 2012, attackers had only a limited number of ways to get onto a user's device and lock its files. Today they have a far wider range of tools and techniques with which to achieve the same goal, from malicious email attachments to exploit kits and direct attacks on exposed servers, several of which are described below.

This has produced a large number of variants, many of them far more sophisticated and destructive than the originals they imitate. Current ransomware encrypts not just the files on the infected device but also the contents of shared or networked drives, externally attached storage, and cloud storage that is mapped to the infected computer. An infection that reaches every share the user can write to is much harder to contain and far harder to recover from completely.

Today's variants are also more destructive: they are more aggressive, take longer to remove and are more costly to recover from. Attackers now combine techniques for hiding their infrastructure with remote-access tools that let them work directly inside compromised systems and exploit unpatched flaws in the operating system and its applications.

Ransomware authors now use anonymising services such as Tor for hidden end-to-end communication with infected systems, and collect ransom payments in Bitcoin, so the people behind a campaign are far less likely to be identified and caught. This makes them extremely dangerous for business.

Over the past year alone, the number of companies falling victim to ransomware attacks has risen by 300%.

The top five ransomware variants targeting companies at the time of writing are CryptoWall, CTB-Locker, TeslaCrypt, MSIL/Samas (also known as SamSam) and Locky, each described below. New variants such as WannaCry continue to emerge, each with new techniques to make recovery harder.

Alarmingly, fewer than half of all ransomware victims fully recover their data, even when they have backups.

What to watch out for

Most of this malware arrives by email. Treat attachments with suspicion and do not open attachments or links in emails from senders you do not recognise. Over 80% of these malicious attachments rely on an Office macro: the document asks the user to "Enable Content", and once it is enabled the macro downloads and runs the ransomware. No vulnerability is needed for this, only the user's click. Systems that have not been patched recently are at far greater risk from the other routes, such as exploit kits and exposed servers, that do rely on software flaws.
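As an added example, not code from the original page, here is a small attachment triage routine in Python covering the delivery tricks just described: macro-enabled Office documents (including macro projects hidden behind a macro-free .docx name), script files inside archives, and deceptive double extensions. The sample attachments are constructed in memory and are harmless stand-ins; the extension lists are assumptions to be tuned to your own gateway policy.

```python
"""Triage e-mail attachments for the delivery tricks discussed above.
Added example; the sample attachments are constructed in memory and are not
real malware."""
import io
import zipfile

# Extensions that run code when double-clicked on Windows (assumption: this
# list is illustrative, extend it to match your gateway policy).
EXEC_EXT = {"exe", "scr", "pif", "com", "js", "jse", "vbs", "vbe", "wsf",
            "wsh", "hta", "bat", "cmd", "ps1", "jar", "lnk"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
MZ_MAGIC = b"MZ"                                  # Windows PE executable


def _exts(name):
    """Extensions of the base name, lower-cased, e.g. 'a/scan.pdf.js' -> ['pdf', 'js']."""
    return [p.lower() for p in name.rsplit("/", 1)[-1].split(".")[1:]]


def triage_attachment(name, data, depth=0):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    exts = _exts(name)
    last = exts[-1] if exts else ""

    if last in EXEC_EXT:
        findings.append(f"{name}: executable/script attachment (.{last})")
    if len(exts) >= 2 and exts[-2] in DOC_EXT and last in EXEC_EXT:
        findings.append(f"{name}: double extension disguises a script as a document")
    if data.startswith(MZ_MAGIC) and last not in EXEC_EXT:
        findings.append(f"{name}: content is a Windows executable despite the .{last} name")
    if data.startswith(OLE_MAGIC):
        findings.append(f"{name}: legacy OLE document, may carry VBA macros (inspect with olevba)")

    if data.startswith(b"PK") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
            if "[Content_Types].xml" in members:       # Office Open XML package
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                has_vba = any(m.lower().endswith("vbaproject.bin") for m in members)
                if has_vba or "macroEnabled" in ctypes:
                    findings.append(f"{name}: Office document contains a VBA macro project")
                    if last in {"docx", "xlsx", "pptx"}:
                        findings.append(f"{name}: macro project inside a supposedly macro-free .{last}")
            elif depth < 2:                            # ordinary archive: look inside it
                for m in members:
                    if not m.endswith("/"):
                        findings += triage_attachment(f"{name}/{m}", zf.read(m), depth + 1)
    return findings


def _build_ooxml(with_macro):
    """Constructed minimal Office Open XML package, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        part = ('<Override PartName="/word/vbaProject.bin" '
                'ContentType="application/vnd.ms-office.vbaProject"/>') if with_macro else ""
        zf.writestr("[Content_Types].xml", f"<Types>{part}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not real VBA")
    return buf.getvalue()


def _build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in members.items():
            zf.writestr(n, d)
    return buf.getvalue()


SAMPLES = {  # constructed, harmless stand-ins for the attachment types discussed
    "report.docx": _build_ooxml(with_macro=False),
    "invoice.docm": _build_ooxml(with_macro=True),
    "invoice.docx": _build_ooxml(with_macro=True),        # macros hidden behind a .docx name
    "scan.zip": _build_zip({"scan.pdf.js": b"// downloader stub (constructed)"}),
    "setup.pdf": MZ_MAGIC + b"\x90\x00" * 10,             # executable renamed to .pdf
    "quarter.xls": OLE_MAGIC + b"\x00" * 8,                # legacy binary workbook
}

if __name__ == "__main__":
    for n, d in SAMPLES.items():
        for line in triage_attachment(n, d) or [f"{n}: no findings"]:
            print(line)
```

The OOXML check is exact (a macro project is a named part in the package), whereas the legacy OLE check only flags the container; parsing the VBA streams inside it needs a library such as oletools, so the routine hands those files on for deeper inspection rather than pretending to clear them.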

What to do if you think you have picked up a virus.

Immediately disconnect the infected device from the network (unplug the cable and switch off Wi-Fi) and turn it off, so the ransomware cannot reach shared drives or other machines.

Call your IT support Team.

Follow their Instructions.

Note: be concise when you call and describe precisely what you saw: which attachment or link you opened, the exact wording of any message on screen, and when it happened.

If you follow these steps quickly and have tested backups in place, your chance of a successful recovery is greatly improved.

If you need immediate help or advice then call KJL now on 01268627111 and our IT Security Team can either make sure you are protected against Ransomware or help you get back up and running as soon as possible.

More about the types of Ransomware

CryptoWall

CryptoWall has been actively used to target victims since April 2014.

CryptoWall was the first ransomware variant that only accepted ransom payments in Bitcoin. The ransom amounts associated with CryptoWall are typically between $200 and $10,000. Following the takedown of the CryptoLocker botnet, CryptoWall has become the most successful ransomware variant with victims all over the world.

Between April 2014 and June 2015, the FBI's Internet Crime Complaint Center (IC3) received 992 CryptoWall-related complaints, with victims reporting losses totalling over $18 million. CryptoWall is primarily spread via spam email but also infects victims through drive-by downloads and malvertising.

CTB-Locker

CTB-Locker emerged in June 2014 and was one of the first ransomware variants to use Tor for its command-and-control (C2) infrastructure.

CTB-Locker uses Tor exclusively for its C2 servers and only contacts them after the victim's files have been encrypted, so blocking the C2 does not stop the encryption. Unlike other variants that rely on a separately installed Tor client for some of their communication, the Tor components are embedded in the CTB-Locker binary itself, which makes it more self-contained and harder to detect.

CTB-Locker is spread through drive-by downloads and spam emails.

TeslaCrypt

TeslaCrypt emerged in February 2015, initially targeting the video game community by encrypting saved-game and related files in addition to the documents, images and database files ransomware typically targets. Once the data was encrypted, TeslaCrypt attempted to delete all Volume Shadow Copies and System Restore points to prevent file recovery.

TeslaCrypt was distributed through the Angler, Sweet Orange, and Nuclear exploit kits.

MSIL/Samas (SAMSAM)

MSIL/Samas (SAMSAM) was used to compromise the networks of multiple U.S. victims, including 2016 attacks on healthcare facilities that were running outdated versions of the JBoss application server.

SAMSAM gains its initial foothold by exploiting vulnerable Java-based web servers. Once inside, the actors use open-source tools to enumerate the hosts joined to the victim's Active Directory domain, then use psexec.exe to push the malware to each host and encrypt most of the files on it. The actors charge varying amounts in Bitcoin to provide the decryption keys.
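The shadow-copy deletion described under TeslaCrypt and the psexec.exe mass distribution described for SAMSAM both leave recognisable traces in Windows event logs: a process-creation event carrying the vssadmin or bcdedit command line, and a System 7045 "new service installed" event for PsExec's service stub on every target host. The following added example, which is not part of the original page or of any vendor product, shows detection logic for both over constructed Sysmon/Security/System-style event records, and adds a fan-out rule that fires when one account installs the service on several hosts in a short window. The event field names, host names, account names and thresholds are assumptions.

```python
"""Detection logic for recovery-point destruction and PsExec-style mass
distribution. Added example; the event records below are constructed
stand-ins for Windows Security/System and Sysmon events, not real logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines ransomware runs to destroy local recovery points.
SHADOW_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]


def is_shadow_copy_tampering(ev):
    """Process-creation event (Sysmon 1 / Security 4688) whose command line deletes recovery data."""
    if ev.get("event_id") not in (1, 4688):
        return False
    return any(p.search(ev.get("command_line", "")) for p in SHADOW_TAMPER)


def is_psexec_service(ev):
    """System 7045 'new service installed' where the binary is PsExec's service
    stub or was dropped over the ADMIN$ share, the footprint psexec.exe leaves
    on each target host."""
    if ev.get("event_id") != 7045:
        return False
    path = ev.get("image_path", "").lower()
    name = ev.get("service_name", "").lower()
    return "psexesvc" in name or "psexesvc" in path or "\\admin$\\" in path


def detect(events, fanout=3, window=timedelta(minutes=10)):
    """Return alerts as (rule, subject, detail) tuples: one per shadow-copy
    tampering event, one per PsExec service install, plus one 'mass_distribution'
    alert per account that installs the service on >= `fanout` distinct hosts
    within `window` (the SAMSAM pattern; thresholds are assumptions)."""
    alerts = []
    installs = defaultdict(list)   # account -> [(timestamp, host)]
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_shadow_copy_tampering(ev):
            alerts.append(("shadow_copy_tampering", ev["host"], ev["command_line"]))
        if is_psexec_service(ev):
            alerts.append(("psexec_service_install", ev["host"],
                           ev.get("image_path", ev.get("service_name", ""))))
            installs[ev["account"]].append((ev["time"], ev["host"]))
    for account, hits in installs.items():
        for t0, _ in hits:
            hosts = {h for t, h in hits if t0 <= t <= t0 + window}
            if len(hosts) >= fanout:
                alerts.append(("mass_distribution", account, sorted(hosts)))
                break
    return alerts


T = datetime(2016, 3, 28, 2, 14)   # constructed timeline
EVENTS = [
    {"time": T, "host": "FS01", "event_id": 1, "account": "CORP\\jsmith",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"time": T + timedelta(seconds=5), "host": "FS01", "event_id": 1, "account": "CORP\\jsmith",
     "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"time": T + timedelta(minutes=1), "host": "WS22", "event_id": 1, "account": "CORP\\svc_backup",
     "command_line": "vssadmin.exe list shadows"},          # benign: lists, does not delete
    # Four PsExec service installs from one account within 30 seconds.
    *[{"time": T + timedelta(minutes=2, seconds=10 * i), "host": h, "event_id": 7045,
       "account": "CORP\\svc_jboss", "service_name": "PSEXESVC",
       "image_path": "%SystemRoot%\\PSEXESVC.exe"}
      for i, h in enumerate(["WS10", "WS11", "WS12", "WS13"])],
    # A single legitimate administrative PsExec use hours later.
    {"time": T + timedelta(hours=3), "host": "WS40", "event_id": 7045, "account": "CORP\\it_admin",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
]

if __name__ == "__main__":
    for rule, subject, detail in detect(EVENTS):
        print(f"{rule:24} {subject:16} {detail}")
```

On the sample timeline this yields two shadow-copy alerts, five individual PsExec alerts and one mass-distribution alert for CORP\svc_jboss; the lone administrative use on WS40 stays below the fan-out threshold. In production the individual PsExec alerts are noisy on networks where administrators use the tool, so the fan-out rule, or the service install coming from an account that should never run PsExec, is the signal worth paging on.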

Locky

In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to businesses globally, including those in the United States, New Zealand, Australia, Germany and the United Kingdom.

Locky propagates through spam emails carrying malicious Microsoft Office documents or compressed attachments (e.g. .rar, .zip) of the kind previously associated with banking Trojans such as Dridex and Pony. The attachments contain macros or JavaScript files that download the Locky payload. More recently, Locky has also been distributed through the Nuclear exploit kit.

Links to Other Types of Malware

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically was infected by opening a malicious attachment from an email. This malicious attachment contained Upatre, a downloader, which infected the user with GameOver Zeus.

GameOver Zeus was a variant of the Zeus Trojan used to steal banking information and other types of data. After a system became infected with GameOver Zeus, Upatre would also download CryptoLocker.

Finally, CryptoLocker encrypted files on the infected system and demanded a ransom payment. The disruption operation against the GameOver Zeus botnet also affected CryptoLocker, demonstrating the close ties between ransomware and other types of malware.

In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.